The present invention relates to the field of data communications and especially to verification of outgoing data.
A WWW server is an excellent target for hackers and for other miscreants who desire to have their exploits publicized. The server usually has a captive audience that downloads information (usually WWW pages) from the server. By modifying the information sent out by the server, such a miscreant publishes his exploits. For the owner of the server, the damage is disproportionate: the credibility of the server is severely reduced. In addition, erroneously published information may directly harm the server's owner, for example, by misrepresenting prices of services. The server owner would like to be able to stand behind what is "published" at the WWW site.
There appear to be two approaches in the art to avoiding interference with WWW services. A digital signature approach puts the onus on the receiver of a document (data) to verify that the document is what it purports to be. If the document does not match its attached signature, the receiver can assume that the document is bogus or corrupted. This solution, however, requires that the receiver be able to validate the document using the signature, typically requiring a copy of the signer's public key used by the signing protocol.
A security approach attempts to nullify the possibility of an outside break-in into the WWW server, for example using a firewall, so that it can be assumed that any information provided by the server is not adulterated by an outside hacker. Unfortunately, constructing a completely secure system is difficult, if not impossible, and miscreants are unusually creative in their efforts to "hack" into supposedly secure systems. An even greater problem is internal security. A disgruntled employee can bypass many security features by working at his computer terminal, inside the server's physical location, or by using a password which is known to him.
In addition, some secure systems disseminate information to a requester only after the requester's identity has been verified (usually using a password) and his permission to access the information confirmed.
Some types of firewall block requests for transmission of certain named files.
U.S. Pat. 4,672,572, the disclosure of which is incorporated herein by reference, describes various protection schemes for computer networks. One of the described schemes is a command filter which can monitor data transfers which pass through it and detect, block or modify sensitive information being transferred or sensitive commands from being carried out.
Recently, mail servers have been patched with software code that prevents the transmission of messages which appear to contain certain viruses.
The Tripwire software and various virus-detection programs maintain a list of signatures of files. If one of the files is corrupted and does not match its signature, a system operator may be alerted. In a virus detection system such a determination of mismatch may be made when a file is loaded into a computer memory for execution. In some systems, files are checked against their signatures periodically.
An object of some preferred embodiments of the invention is to assure the quality of data being published at a WWW site. In a preferred embodiment of the invention, incorrect content is prevented from being disseminated, irrespective of the manner in which it was generated (e.g., mistake, disgruntled employee or hacker).
An aspect of some preferred embodiments of the invention relates to a method of verifying, by a data provider, that data which is provided meets certain quality assurance criteria. In a preferred embodiment of the invention, data is checked before it is transmitted from the data provider, to determine if it meets the certain criteria. In a preferred embodiment of the invention, data is stamped with a digital signature. Preferably, the signature is determined by the time at which it is created and/or the time at which it is checked. Alternatively or additionally, the signature is determined based on the document contents. Thereafter, when the data is to be sent out, an output monitor checks that the data matches its signature. In some cases, some types of data may be stamped with a signature indicating that no quality assurance checking is to be performed. Preferably, the data is transmitted by Internet, for example using an HTTP protocol, an FTP protocol or an e-mail protocol. As used herein, the terms "quality control" and "quality assurance" relate to how data is assembled, generated and/or approved for transmission, not to security considerations.
An aspect of some preferred embodiments of the invention relates to data redress by an output monitor. In a preferred embodiment of the invention, a copy of some or all of the data which can be transmitted is stored at a secure location. When data is proscribed from being transmitted, for example because it has been tampered with, the output monitor obtains a "clean" copy of the data from the secure location and transmits the clean data instead. In some cases, the clean data may be more limited than the original data, for example a message which indicates that data is not being transmitted. Alternatively, proscribed data is not transmitted, so that transmitted WWW pages contain blank areas. Alternatively, a standard message is transmitted, to fill in the blank areas. Alternatively or additionally, the transmitted WWW page is modified so that the page appears not to be missing data and/or so that the distortion of the page is minimized. Alternatively, the altered data is allowed to go out, with an additional message, for example, to warn the user of possible corruption. An example of such a message is a disclaimer of warranty for the content of the data. Another example of a message is a warning that the data may be incorrect.
An aspect of some preferred embodiments of the invention relates to extending the data verification to a user of the data, preferably without an intermediate. In a preferred embodiment of the invention, a user can request that certain display objects be provided as verified objects. Alternatively or additionally, a user viewing program (for instance a browser) can indicate to a user if a displayed object is verified, bogus or does not require a signature.
An aspect of some preferred embodiments of the invention relates to extending the data verification to the verification of requests by a user. In a preferred embodiment of the invention, when a user request is received, the request is stamped so that it cannot be modified inside the server without the modification being detected. Thus, when the response to the request is sent out, it is possible to verify that the response matches the query, i.e., is appropriate and not corrupted.
There is therefore provided in accordance with a preferred embodiment of the invention, a method of data transmission comprising:
receiving a request for data over an Internet, by a data provider;
obtaining data, in response to said request, at said data provider;
assuring a quality of said obtained data, responsive to said request, at said provider; and
transmitting said data over said Internet responsive to said assurance. Preferably, assuring a quality comprises assuring that said data is pre-approved for transmission. Alternatively or additionally, assuring comprises verifying a digital signature of said data. Preferably, verifying comprises applying a public-key decryption to said digital signature. Alternatively or additionally, verifying comprises applying a secret-key decryption to said digital signature.
In a preferred embodiment of the invention, said assuring comprises comparing said data to said request. Alternatively or additionally, assuring comprises comparing said data to stored data. Alternatively or additionally, assuring comprises checking secure information associated with said data. Alternatively or additionally, assuring comprises checking a limited usage-code associated with said data. Preferably, said limited usage code comprises a time-limited code. Alternatively or additionally, said limited usage code comprises a usage number-limited code.
In a preferred embodiment of the invention, assuring comprises checking a one-way hash function of said data. Preferably, said one-way hash function comprises a checksum function.
In a preferred embodiment of the invention, assuring comprises analyzing a content of said data. Alternatively or additionally, transmitting said data comprises not transmitting said data if said quality is not assured. Alternatively or additionally, said transmitting said data comprises transmitting said data if said data does not require quality assurance. Alternatively or additionally, the method comprises redressing said data if said quality assurance fails. Preferably, redressing comprises replacing said data with verified data. Preferably, said verified data is a copy of the data which was to be obtained by said data provider. Alternatively, said verified data is a less up-to-date copy of the data which was to be obtained by said data provider.
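The output monitor described in the summary above (stamping data with a signature, a "no quality assurance" marker, redress from a secure copy, a warning message, or blocking) and restated in the method claims just above is, as an added illustration that is not part of the patent text, sketched below in Python using only the standard library. It uses the secret-key and time-limited variants of the claims: an HMAC-SHA256 tag over the content hash and an optional expiry. The key, the page content, the object names and the secure store are all constructed placeholders; the point a practitioner should take from it is that the key must be held by the signing unit and the monitor, not by the WWW server that an intruder or disgruntled employee can reach, since anyone with the key can re-stamp altered content.

```python
"""Output monitor: verify a secret-key stamp on outgoing data and redress failures.

Constructed example (stdlib only). Stamps are HMAC-SHA256 over SHA-256(content)
plus an optional expiry time, i.e. the 'secret-key' and 'time-limited code'
variants. The key below is a placeholder and must not live on the web server.
"""
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"example-monitor-key-replace-me"  # assumption: shared only by signing unit and monitor
NO_QA = "no-qa"                                  # stamp meaning: no quality check is required
WARNING = b"<p><em>Warning: this content could not be verified and may be incorrect.</em></p>\n"


def _mac(data, expires_at):
    msg = hashlib.sha256(data).digest() + json.dumps(expires_at).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign(data, expires_at=None):
    """Stamp approved content; expires_at (epoch seconds) makes the stamp time-limited."""
    return {"tag": _mac(data, expires_at), "expires_at": expires_at}


def check(data, stamp, now=None):
    """Return 'ok', 'no-qa', 'expired' or 'tampered' for data and its stamp."""
    if stamp == NO_QA:
        return "no-qa"
    now = time.time() if now is None else now
    if stamp["expires_at"] is not None and now > stamp["expires_at"]:
        return "expired"
    if not hmac.compare_digest(_mac(data, stamp["expires_at"]), stamp["tag"]):
        return "tampered"
    return "ok"


def output_monitor(name, data, stamp, secure_store, now=None, on_failure="block"):
    """Decide what leaves the server for object `name`; returns (action, bytes).

    A failed check is redressed from the secure store when it holds a clean copy
    (possibly an older version). Otherwise on_failure selects the policy:
    'block' sends nothing, 'warn' sends the data with a warning prepended.
    """
    status = check(data, stamp, now)
    if status in ("ok", "no-qa"):
        return status, data
    clean = secure_store.get(name)
    if clean is not None:
        return "replaced", clean
    if on_failure == "warn":
        return "warned", WARNING + data
    return "blocked", b""


# Constructed sample: an approved price page, a tampered copy, and the secure store.
NOW = 1_700_000_000.0
PAGE = b"<h1>Prices</h1><p>Widget: $10</p>"
TAMPERED = PAGE.replace(b"$10", b"$1")
STAMP = sign(PAGE, expires_at=NOW + 3600)
SECURE_STORE = {"prices.html": PAGE}

if __name__ == "__main__":
    print(check(PAGE, STAMP, NOW))
    print(output_monitor("prices.html", TAMPERED, STAMP, SECURE_STORE, NOW))
    print(output_monitor("news.html", TAMPERED, STAMP, {}, NOW, on_failure="warn"))
```

The expiry makes a stamp a time-limited code; a usage-number limit would be kept as monitor-side state keyed by the tag and is not shown. Replacing HMAC with a public-key signature would let the monitor hold only a verification key, which is the safer arrangement when the monitor sits in a networking component outside the server.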
In a preferred embodiment of the invention, said data is part of a data transmission set and wherein redressing comprises modifying said data transmission set.
In a preferred embodiment of the invention, said data provider comprises an Internet server. Preferably, said data provider comprises a WWW server. Alternatively or additionally, said data provider comprises an FTP server. Alternatively or additionally, said data provider comprises a mail server.
There is also provided in accordance with a preferred embodiment of the invention, a method of data manufacture quality verification, comprising:
receiving a request for data;
performing a first data manufacturing step to generate first stage data;
signing said first stage data;
performing a second data manufacturing step on said first stage data to generate second stage data;
signing said second stage data; and
verifying said first and said second signatures. Preferably, said first signing comprises digitally signing said first stage data. Alternatively or additionally, said verifying comprises verifying said first stage data prior to said performing a second data manufacturing step. Alternatively or additionally, said verifying comprises verifying both said first and said second signatures after performing said second data manufacturing step. Alternatively or additionally, said verifying comprises verifying as a part of a quality check prior to transmission of said manufactured data. Alternatively or additionally, said verifying comprises comparing said manufactured data to a data request for which said data is manufactured. Preferably, said data request is signed at receipt.
In a preferred embodiment of the invention, verifying said first stage data comprises verifying a signature on a program used for said first manufacturing step. Alternatively or additionally, said first stage signing is performed by a program which performs said first manufacturing step. Alternatively or additionally, said first manufacturing step comprises database querying. Alternatively or additionally, said first manufacturing step comprises retrieving data from a remote source. Alternatively or additionally, said first and said second manufacturing steps are performed at a computing site. Alternatively or additionally, the method comprises redressing said data if said verification fails. Preferably, said redressing comprises performing a backup data manufacturing process.
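The staged manufacture with a signature per stage described in the claims above, together with the stamping of the request at receipt from the summary (so that a response can be checked against the query it answers) and the backup manufacturing run used as redress, are illustrated below. This is an added Python example, not code from the patent: each stage's tag chains to the previous stage's tag, so an altered request, database row or rendered page is caught at the pre-transmission check. The key, the in-memory database, the request format and the HTML rendering are all constructed assumptions, and a secret-key HMAC stands in for the digital signature of the claims.

```python
"""Staged data manufacture with one stamp per stage and a stamped request.

Constructed example (stdlib only): the request is stamped at receipt, the
database stage and the rendering stage each stamp their output chained to the
previous tag, and the release check verifies the chain and that the page
answers the stamped request. KEY, DATABASE and the request form are placeholders.
"""
import hashlib
import hmac
import json

KEY = b"example-stage-key-replace-me"    # assumption: held by the signing unit, not the web server
DATABASE = {"widget": 10, "gadget": 25}  # constructed stand-in for the first (database) stage


def stamp(label, payload, previous_tag=b""):
    """Sign one stage's output, binding it to its stage label and the prior stage's tag."""
    msg = label.encode() + b"\0" + previous_tag + b"\0" + payload
    return hmac.new(KEY, msg, hashlib.sha256).digest()


def verify_chain(chain):
    """chain: list of (label, payload, tag). Returns (True, None) or (False, failing_label)."""
    prev = b""
    for label, payload, tag in chain:
        if not hmac.compare_digest(stamp(label, payload, prev), tag):
            return False, label
        prev = tag
    return True, None


def parse_item(request):
    """Request form assumed here: b'GET /price?item=<name>'."""
    return request.split(b"item=")[1].split(b"&")[0].decode()


def render(row):
    r = json.loads(row)
    return f"<p>{r['item']}: ${r['price']}</p>".encode()


def manufacture(request):
    """Run both manufacturing steps, stamping the request and each stage's output."""
    chain = [("request", request, stamp("request", request))]
    item = parse_item(request)
    row = json.dumps({"item": item, "price": DATABASE[item]}).encode()  # stage 1: database query
    chain.append(("db", row, stamp("db", row, chain[-1][2])))
    html = render(row)                                                  # stage 2: page assembly
    chain.append(("render", html, stamp("render", html, chain[-1][2])))
    return chain


def release(chain):
    """Pre-transmission check: chain intact and the page answers the stamped request.

    Returns ('ok', html), ('remanufactured', html) when a tampered stage was rebuilt
    from the still-intact stamped request, or ('blocked', reason).
    """
    ok, failed = verify_chain(chain)
    if not ok:
        # Redress by a backup manufacturing run, but only from a request whose own stamp holds.
        if verify_chain(chain[:1])[0]:
            return "remanufactured", manufacture(chain[0][1])[-1][1]
        return "blocked", failed
    request, row, html = chain[0][1], chain[1][1], chain[2][1]
    if parse_item(request) != json.loads(row)["item"] or render(row) != html:
        return "blocked", "mismatch"
    return "ok", html


if __name__ == "__main__":
    print(release(manufacture(b"GET /price?item=widget")))
```

Because the first stage's tag covers the request tag, a database row that correctly answers a different request cannot be spliced in; and because the release check re-derives the item from the stamped request, a correctly signed chain that nevertheless answers the wrong query (a stage bug rather than tampering) is also held back.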
There is also provided in accordance with a preferred embodiment of the invention, a method of data corruption recovery, comprising:
detecting that data to be transmitted is corrupted, after said data is prepared for transmission and while transmitting said data;
redressing said data; and
transmitting said redressed data instead of said corrupted data. Preferably, said redressing comprises retrieving replacement data from a secured location. Preferably, said secured location contains a copy of said corrupted data. Alternatively or additionally, said secured location contains a previous version of said corrupted data. Alternatively or additionally, said secured location contains a less up-to-date copy of said corrupted data.
In a preferred embodiment of the invention, said redressing comprises retrieving replacement data from a remote location. Alternatively or additionally, said redressing comprises modifying a data transmission to not include a reference to said corrupted data. Alternatively or additionally, said redressing comprises manufacturing replacement data for said corrupted data. Alternatively or additionally, said redressing is transparent to a receiver of said data transmission.
In a preferred embodiment of the invention, said secured location contains a warning message used for redressing said data. Alternatively or additionally, said redressing comprises adding a warning message to said data transmission.
In a preferred embodiment of the invention, said data redressing is transparent to a unit which prepares said data. Alternatively or additionally, said data redressing is transparent to said transmitting. Alternatively or additionally, said data redressing is transparent to a reception of said data. Alternatively or additionally, said corruption of data is detected by checking a digital signature of said data. Alternatively or additionally, said corruption of data is detected after the data is prepared by an application layer of a communication system and before the data is transmitted via a physical layer of the communication system. Preferably, said corruption is detected by a separate hardware unit from a unit which prepares said data.
There is also provided in accordance with a preferred embodiment of the invention, apparatus for data transmission, comprising,
a data provider which provides data to be transmitted; and
an output monitor which monitors said provided data, wherein said output monitor verifies a quality of said provided data. Preferably, the apparatus comprises an Internet connection for transmitting said data from said output monitor over said Internet. Alternatively or additionally, the apparatus comprises a data signing unit which signs generated data. Alternatively or additionally, the apparatus comprises a data backup store in which a backup copy of data is maintained. Alternatively or additionally, said output monitor signs received requests for data. Alternatively or additionally, said data provider comprises an e-mail program. Alternatively or additionally, said output monitor is integrated with a WWW server. Alternatively or additionally, said output monitor is integrated with a firewall. Alternatively or additionally, said output monitor is integrated with a hardware networking component. Preferably, said networking component comprises a bridge. Alternatively or additionally, said networking component comprises a router. Alternatively or additionally, said networking component comprises a gateway.
There is also provided in accordance with a preferred embodiment of the invention, a method of data transmission comprising:
receiving a request for data over a communication network, by a data provider;
obtaining data, by computer, in response to said request, at said data provider;
assuring a quality of said obtained data, by computer, responsive to said request, at said provider; and
transmitting said data over said communications network responsive to said assurance. Preferably, said communication network comprises a computer communication network. Preferably, said communication network comprises an Internet. Alternatively or additionally, said communication network comprises a local area network.
In a preferred embodiment of the invention, said communication network comprises a telephone network. Preferably, said telephone network comprises a cellular telephone network.
In a preferred embodiment of the invention, assuring a quality comprises verifying that said data matches a digital signature associated with said data.